One of the security layers used for automotive in-vehicle networks is secure on-board communication (SecOC). This security measure may add an authentication layer on top of existing in-vehicle messages and communication. An example of a SecOC specification can be found in the automotive open system architecture (“AUTOSAR”) specification. It should be appreciated that SecOC is given hereinafter as an example of message authentication schemes, while other schemes may also be utilized.
In-vehicle networks allow internal communication between various components of a vehicle (e.g., air conditioning system, diagnostics, engine, etc.) by connecting their electronic control units (ECUs). An electronic control unit receives input from sensors (e.g., speed, temperature, pressure, etc.) for use in its analysis, and the ECUs exchange data among themselves during the normal operation of the vehicle. For example, the engine needs to tell the transmission what the engine speed is, and the transmission needs to tell other modules when a gear shift occurs. The in-vehicle network allows the ECUs to exchange this data quickly and reliably.
SecOC may be based on a shared secret (or encoded message) between at least the sender and the receiver. The sender may use this shared secret in order to generate a message authentication code (MAC) and add it to the relevant messages. The receiver may validate the MAC in order to make sure it was sent by the sender.
This MAC may be the result of a hash function or any other function computed over parts of the message and other metadata. For example, the hash may be calculated over the shared secret and the message data. A freshness value may also be used in the MAC calculation in order to prevent possible attackers from performing replay attacks. This freshness value may include a time stamp or a counter. The MAC may be a truncation of the original hash function result, due to packet size limits on the in-vehicle network.
SecOC implementation may use a secure time mechanism in order to derive the proper time for the calculation of the freshness value while keeping the sender and the receiver in sync. Additionally, SecOC implementations may also rely on a key exchange mechanism in order to derive the shared secrets.
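The following is an added illustration of the scheme described above (shared secret, counter-based freshness value, truncated MAC, receiver-side replay rejection); it is example code written for this page, not code from the AUTOSAR specification or any SecOC implementation. The concrete choices are assumptions: HMAC-SHA256 stands in for whatever MAC function a real deployment uses, the freshness counter is 32 bits wide with only its low 8 bits transmitted, the MAC is truncated to 8 bytes, and the key and payloads are constructed test values.

```python
import hmac
import hashlib
import struct

# Assumed layout parameters (not from the AUTOSAR spec):
MAC_TRUNC_LEN = 8      # bytes of the MAC that are actually transmitted
FV_TX_BITS = 8         # low bits of the freshness counter that are transmitted
FV_TX_MASK = (1 << FV_TX_BITS) - 1


def compute_mac(key: bytes, pdu_id: int, payload: bytes, freshness: int) -> bytes:
    """MAC over (PDU id, full freshness counter, payload), truncated for the bus.

    HMAC-SHA256 is an assumption standing in for the deployment's MAC function.
    Binding the PDU id prevents a valid MAC from being reused on another message type.
    """
    authenticated = struct.pack(">HI", pdu_id, freshness) + payload
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:MAC_TRUNC_LEN]


class Sender:
    """Keeps the full 32-bit counter; only its low bits go on the wire."""

    def __init__(self, key: bytes, pdu_id: int):
        self.key, self.pdu_id, self.counter = key, pdu_id, 0

    def send(self, payload: bytes) -> bytes:
        fv = self.counter
        self.counter += 1  # monotonic; wraparound/key rotation out of scope here
        secured = payload + bytes([fv & FV_TX_MASK]) + compute_mac(self.key, self.pdu_id, payload, fv)
        return secured


class Receiver:
    """Reconstructs the full counter from the truncated bits and rejects replays."""

    def __init__(self, key: bytes, pdu_id: int):
        self.key, self.pdu_id = key, pdu_id
        self.last_fv = -1  # -1: nothing accepted yet, so counter 0 is the first valid value

    def verify(self, secured: bytes):
        """Return the payload if authentic and fresh, else None."""
        trailer = 1 + MAC_TRUNC_LEN
        if len(secured) <= trailer:
            return None
        payload = secured[:-trailer]
        tx_fv = secured[-trailer]
        mac = secured[-MAC_TRUNC_LEN:]

        # Candidate full counter: our last accepted high bits + received low bits.
        # A replayed or out-of-order message yields a candidate <= last_fv; the only
        # legitimate way to see those low bits again is after a rollover, so try that.
        candidate = (self.last_fv & ~FV_TX_MASK) | tx_fv
        if candidate <= self.last_fv:
            candidate += 1 << FV_TX_BITS

        expected = compute_mac(self.key, self.pdu_id, payload, candidate)
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            return None  # tampered payload, wrong key, replay, or stale counter
        self.last_fv = candidate
        return payload


def demo() -> dict:
    """Exercise the happy path, a replay, a tampered payload and a counter rollover."""
    key = bytes(range(16))  # constructed test key, never use a fixed key in practice
    tx, rx = Sender(key, 0x123), Receiver(key, 0x123)
    results = {}

    m1 = tx.send(b"\x01\x02")
    results["fresh"] = rx.verify(m1) == b"\x01\x02"
    results["replay"] = rx.verify(m1) is None           # same counter seen again

    m2 = tx.send(b"\x03")
    tampered = bytes([m2[0] ^ 0xFF]) + m2[1:]           # flip a payload bit
    results["tampered"] = rx.verify(tampered) is None
    results["second"] = rx.verify(m2) == b"\x03"        # untouched original still accepted

    # 300 more messages cross the 8-bit boundary of the transmitted counter bits.
    results["rollover"] = all(
        rx.verify(tx.send(bytes([i & 0xFF]))) is not None for i in range(300)
    )
    return results


if __name__ == "__main__":
    print(demo())
```

The receiver only ever stores the last accepted counter and the key; it never trusts the transmitted freshness byte on its own, which is what turns a replayed frame into a MAC mismatch rather than an accepted message.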
SecOC may be used to secure the critical and valuable processes in the vehicle. Therefore, tampering with SecOC implementations may cause substantial damage from a single point of failure in the system. However, the SecOC security layer may also be compromised, for example, in order to either allow malicious messages to be treated as if they are authenticated or to block legitimate in-vehicle communication.